Memo to MSPs: Beware Ransomware Attacks Amid Merger, Acquisition Discussions

Thousands of MSPs engage in merger and acquisition (M&A) discussions each year, and perhaps 1,000 MSPs complete M&A deals during a 12-month window. The M&A discussions can trigger a range of emotions and business outcomes. But now, they can also trigger heightened cyberattack risks.

Indeed, businesses must now worry about ransomware attacks that specifically exploit the M&A discussions, according to a Private Industry Notification from the Federal Bureau of Investigation (FBI). The specifics: Ransomware crews are likely using "significant financial events," such as mergers and acquisitions, to identify cyber hijacking targets, the FBI warned in the alert.

How The Attacks Work

Admittedly, much of the concern involves publicly held companies. But privately held MSPs and private equity firms also need to raise their defenses. The reason: Ransomware actors frequently search for non-public information, which they can threaten to release ahead of important financial events if the victim refuses to pay a ransom. Events that could affect a victim’s stock value -- such as announcements, mergers and acquisitions -- can strongly influence a ransomware gang’s timing in an extortion operation.

At first glance, most MSP M&A discussions likely fly far below the radar of ransomware groups. But some MSPs, backed by private equity firms, have gained substantial scale. A few are marching toward $1 billion valuations. And some parent companies are now publicly held -- which means hackers can troll publicly available information to select potential victims.

The dangers don't end there. MSPs are often privy to M&A discussions involving their end-customers. During the due diligence process, buyers and sellers often loop in their MSPs to draft preliminary IT integration and migration plans. The MSP essentially becomes part of the M&A deal's overall communications chain. As a result, the "in the know" MSPs may also wind up on hacker radars.

Example Cyberattacks Involving Financial Events

The FBI pointed to instances in which ransomware hackers sought to leverage a victim’s financial information prior to and after an attack. In one event, a ransomware actor posting on the Russian hacking forum "Exploit" urged other hackers to use the NASDAQ stock exchange as leverage in a cyber extortion: “We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks.”

In another example, between March and July 2020 at least three publicly traded U.S. companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two were under private negotiations.

And, in April 2021, Darkside ransomware actors posted a message on their blog site to show their interest in influencing a victim’s share price. The message stated, “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

How MSPs, End-Customers Can Mitigate Ransomware Attack Risks

The FBI has issued six recommendations for companies to protect themselves from a ransomware attack:

  1. Back up critical data offline. Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  2. Secure your backups and ensure data is not accessible for modification or deletion from the system where the original data resides.
  3. Install and regularly update anti-virus or anti-malware software on all hosts.
  4. Only use secure networks and avoid using public Wi-Fi networks.
  5. Use two-factor authentication for user login credentials; use authenticator apps rather than email, as actors may be in control of victim email accounts; and do not click on unsolicited attachments or links in emails.
  6. Implement least privilege for file, directory, and network share permissions.

Cybersecurity specialists also weighed in on the issue. “Organizations need to consider the cost of the initial ransom requested and the cost of a damaged public image or leaked proprietary information to a competitor,” said Josh Brewton, vCISO at Cyvatar, an Irvine, California-based managed security services provider. “There are many different driving factors, but they all end at the same point; the need for a secure and resilient network utilizing defense-in-depth to minimize the possibility of such events,” he said.

Garret Grajek, chief executive at YouAttest, a cloud-based identity and governance administration solution provider, said reconnaissance is a “key part” of any malware attack. “The attackers try to collect as much publicly available information on the target. And now that all entities, people and enterprises are living beings on the internet, there is much to be gathered,” he said. “The key is to assume that data is being collected on the entity that wishes to stay protected and to shore up their defenses.”

Additional insights from Joe Panettieri.